NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

INDEPENDENT EVALUATION OF THE
NATIONAL CREDIT UNION ADMINISTRATION
INFORMATION SECURITY PROGRAM
2007

Report #OIG-07-09                    September 12, 2007

William A. DeSarno
Inspector General

Released by:                         Auditor-in-Charge:
James Hagen                          W. Marvin Stith, CISA
Asst IG for Audits                   Sr Information Technology Auditor


CONTENTS

   I      EXECUTIVE SUMMARY
  II      BACKGROUND
  III     OBJECTIVE
  IV      METHODOLOGY AND SCOPE
  V       RESULTS IN DETAIL
              Document management
              Continuing education requirements
              Employee enter/exit/change procedures
              E-Authentication risk assessments
              Security configuration guide
              Incident response procedures
              Personnel security awareness training
              Plan of Action and Milestones (POA&M)
              Security controls testing
              Segregation of duties
              Vulnerability management


I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Grant Thornton LLP to independently evaluate its information systems and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.

Grant Thornton evaluated NCUA's security program through interviews, documentation reviews, technical configuration reviews, social engineering testing, and sample testing. We evaluated NCUA against standards and requirements for federal government agencies such as those provided through FISMA, National Institute of Standards and Technology (NIST) Special Publications (SPs), and Office of Management and Budget (OMB) memorandums. We conducted an exit conference with NCUA on June 29, 2007, to discuss evaluation results.

The NCUA made noticeable progress in strengthening its Information Technology (IT) security program during Fiscal Year (FY) 2007. Notable accomplishments include:

   • Completion of Certification and Accreditation packages for all of its FISMA systems.
   • Implementation of additional encryption protection for data on examiner laptops.

While NCUA made commendable progress in addressing the deficiencies reported last year, management could still improve IT security controls in the following areas:

   • NCUA needs a better document management program.
   • NCUA has not implemented continuing education requirements for its Information Technology employees.
   • Employee enter/exit/change procedures do not ensure timely removal of terminated employees' access to NCUA systems.
   • E-Authentication risk assessments for its systems need to be completed.
   • A formal agency-wide security configuration guide should be developed.
   • Incident response procedures should be followed.
   • Personnel security awareness training needs to be completed in FY 2007.
   • NCUA's Plan of Actions and Milestones (POA&M) process needs improvement.
   • Security controls testing for all of NCUA's FISMA systems needs to be completed.
   • Segregation of duties should be maintained or compensating controls established.
   • NCUA vulnerability management needs improvement.

We appreciate the courtesies and cooperation provided to our auditors during this audit.


II. BACKGROUND

This section provides background information on FISMA and NCUA.

FEDERAL INFORMATION SECURITY MANAGEMENT ACT

The President signed into law the E-Government Act (Public Law 107-347), which includes Title III, Information Security, on December 17, 2002. FISMA permanently reauthorized the framework laid out in the Government Information Security Reform Act of 2000 (GISRA), which expired in November 2002. FISMA continues the annual review and reporting requirements introduced in GISRA. In addition, it includes new provisions aimed at further strengthening the security of the federal government's information and information systems, such as development of minimum standards for agency systems. In general, FISMA:

   • Lays out a framework for annual information technology security reviews, reporting, and remediation plans.
   • Codifies existing OMB security policies, including those specified in Circular A-130, Management of Federal Information Resources, and Appendix III.
   • Reiterates security responsibilities outlined in the Computer Security Act of 1987, Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996.
   • Tasks NIST with defining required security standards and controls for federal information systems.

OMB issued the 2007 Reporting Instructions for the Federal Information Security Management Act on July 25, 2007. This document provides clarification to agencies for implementing, meeting, and reporting FISMA requirements to OMB and Congress.

NATIONAL CREDIT UNION ADMINISTRATION (NCUA)

NCUA is the independent federal agency that charters, supervises, and insures the nation's federal credit unions, and it insures many state-chartered credit unions as well. NCUA is funded by the credit unions it supervises and insures. NCUA's mission is to foster the safety and soundness of federally-insured credit unions and to better enable the credit union community to extend credit for productive and provident purposes to all Americans, particularly those of modest means.

NCUA strives to ensure that credit unions are empowered to make necessary business decisions to serve the diverse needs of their members and potential members. It does this by establishing a regulatory environment that encourages innovation, flexibility, and a continued focus on attracting new members and improving service to existing members.

NCUA has a full-time three-member board appointed by the President of the United States and confirmed by the Senate. The Board consists of a chairman, vice chairman, and member. No more than two board members can be from the same political party, and each member serves a staggered six-year term. NCUA's board regularly meets in open session each month, with the exception of August, in Alexandria, Virginia. In addition to its central office in Alexandria, NCUA has five regional offices and the Asset Management and Assistance Center (AMAC).


III. OBJECTIVE

The engagement objective was to assist the OIG in performing an independent evaluation of NCUA information security policies and procedures for compliance with FISMA and federal regulations and standards. We evaluated NCUA's efforts related to:

   • Efficiently and effectively managing its information security program
   • Meeting responsibilities under FISMA
   • Remediating prior audit weaknesses relating to FISMA and other security weaknesses identified
   • Implementing its plans of action and milestones (POA&M)

Additionally, the audit was required to provide sufficient supporting evidence of NCUA's security program evaluation to enable the OIG to report to OMB.


IV. METHODOLOGY AND SCOPE

We compared NCUA's information security program and practices with FISMA and federal criteria contained in the Government Accountability Office's Federal Information System Controls Audit Manual (FISCAM), as well as other relevant guidance from NIST and OMB.

We reviewed information security control techniques for all of NCUA's major information systems on a rotational basis. During this evaluation, we assessed NCUA controls over security planning and program management, segregation of duties, and security awareness training, and performed a limited-scope vulnerability assessment. In addition, we evaluated additional areas required to be reported under OMB M-07-19, such as reviews of Certification and Accreditation (C&A) documentation including system security plans, risk assessments, contingency plans, and certification reports. Furthermore, we reviewed existing information security controls and identified weaknesses impacting certain components affecting General Support System (GSS) security.

We conducted a focused vulnerability assessment this year over NCUA's SAP system, Voice Over Internet Protocol (VOIP), and the Automated Integrated Regulatory Examination System (AIRES).

We performed our engagement in accordance with generally accepted government auditing standards (GAGAS), audit standards promulgated by the American Institute of Certified Public Accountants (AICPA), and information systems standards issued by the Information Systems Audit & Control Association (ISACA).


V. RESULTS IN DETAIL

Security program planning and management controls are designed to provide the framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of an entity's computer-related controls. While NCUA made commendable progress in addressing the deficiencies reported last year, management could still improve IT security controls as discussed below.

1. NCUA needs a better document management program.

NCUA has improved its document management since FY 06. However, management has still not established an effective document management program. We inspected security policies, plans and procedures, but could not readily identify the most current version of some of the documents. In addition, officials did not always periodically update documents (e.g., individual system security plans did not include current GSS security categorizations). Furthermore, management was not required to approve revisions/updates of security documentation.

By not establishing a document management system to facilitate the NCUA Information Technology (IT) security program, NCUA may not be adequately protecting itself from security threats in a continually changing and risk-inherent IT environment.

NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, provides guidance related to these conditions:

       Agencies should plan, develop, and disseminate all plans, policies and procedures to facilitate security planning and planning controls; obtain appropriate review and approval for the security plan; and address system/organizational changes or problems identified during plan implementation or security control assessments.

Recommendation: We recommend that NCUA improve its document management process, including version controls, timely documentation updates and management approvals.

Agency Response: Agreed.

OIG Response: The OIG concurs.

2. NCUA has not implemented continuing education requirements for its Information Technology employees.

While all NCUA employees are required to participate in annual security awareness training, NCUA does not require IT employees to obtain additional security-related training. Additionally, we determined that NCUA employee training records and related documentation are not centrally managed and are not readily available. For example:

   • NCUA does not track external training taken by employees. Many employees do not submit training requests on Standard Form 182 and may submit their requests via memo or e-mail.
   • Although the Office of Human Resources is supposed to approve all training requests, it is possible that the employees selected for testing took training that NCUA did not record.

The NCUA Training Guide encourages employees to request training, but there are no expected continuing education requirements for IT employees. The guide does not define the number of training hours an employee should receive, nor does it provide a means of tracking training received. This tracking may be in the form of education units, CPE credits, etc.

By not requiring IT employees to take security-related training and not defining a training requirement program, IT employees may not have the most current technical knowledge to effectively protect the confidentiality, integrity, and availability of NCUA's systems and sensitive data.

The NCUA Agency Wide Information Security Policy provides guidance related to this condition:

       Section 3.1.3 requires: "Training oversight has two parts, general awareness training and specific training for people with significant security responsibilities. The CIO will review the reports specified in section 3.2.3 to ensure adequate training is planned for NCUA."

OMB Memorandum 06-20 also provides guidance related to this condition:

       Section C, Item 9 inquires if the agency has ensured that security training and awareness has been provided to all employees, including contractors and those employees with significant IT security responsibilities.

NIST SP 800-53 also provides guidance related to this condition:

       Section AT-3 states that the organization ensures system managers, system administrators, and other personnel having access to system-level software have adequate technical training to perform their assigned duties.

       Section AT-4 states that the organization documents and monitors individual information system security training activities including basic security awareness training and specific information system security training.

Recommendation: We recommend that NCUA set forth expected continuing education requirements within the NCUA Training Guide for its IT employees and implement a mechanism to effectively track and report training taken.

Agency Response: Agreed.

OIG Response: The OIG concurs.

3. Employee enter/exit/change procedures do not ensure timely removal of terminated employees' access to NCUA systems.

Although NCUA has documented employee enter/exit/change procedures, they are outdated and do not accurately define responsibilities. NCUA management has not updated the procedures since 1998.
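The condition this finding is concerned with, accounts of departed employees that remain enabled, can be detected by reconciling the HR separation record against a directory account export on a schedule rather than waiting for an exit e-mail. The following is an added illustration of that reconciliation, not code from this report, NCUA or Grant Thornton; the CSV column names, every sample row and the one-day grace window are assumptions made for the example.

```python
"""Reconcile an HR roster against a directory account export and flag accounts
that should have been disabled when their owner left.

Added illustration for the finding above; not code from the OIG report, NCUA
or Grant Thornton. The CSV layouts, all sample rows and the grace window are
constructed for the example.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: separation_date is empty for current staff.
HR_ROSTER = """\
employee_id,name,status,separation_date
1001,Ada Lovelace,active,
1002,Grace Hopper,separated,2007-03-15
1003,Alan Turing,separated,2007-05-30
1004,Edsger Dijkstra,active,
1005,Barbara Liskov,separated,2007-06-20
"""

# Constructed directory export (the shape of a CSV dumped from Active
# Directory); last_logon is empty when the account never logged on.
DIRECTORY_EXPORT = """\
sam_account,employee_id,enabled,last_logon
alovelace,1001,true,2007-06-28
ghopper,1002,true,2007-04-02
aturing,1003,false,2007-05-29
edijkstra,1004,true,2007-06-27
bliskov,1005,true,
svc_backup,,true,2007-06-28
jdoe,9999,true,2007-01-10
"""

# Constructed "as of" date for the sample run (the report's exit conference date).
SAMPLE_AS_OF = date(2007, 6, 29)


@dataclass(frozen=True)
class Finding:
    sam_account: str
    employee_id: str
    issue: str      # what is wrong with the account
    severity: str   # "high" or "medium"


def _parse_date(text):
    return date.fromisoformat(text) if text else None


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_csv, directory_csv, as_of, grace_days=1):
    """Return a Finding for every enabled account that HR records say should
    not exist or should already have been disabled.

    Severity: a logon after the separation date is 'high' (the credential was
    used after exit); an account merely still enabled past the grace window
    is 'medium'; an account HR has no record of is 'high'; an account with no
    owner at all is 'medium' so service accounts get an explicit review.
    """
    hr = {row["employee_id"]: row for row in _rows(hr_csv)}
    findings = []
    for acct in _rows(directory_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: not a removal failure
        sam, emp_id = acct["sam_account"], acct["employee_id"]
        if not emp_id:
            findings.append(Finding(sam, "", "no owner recorded (service account?)", "medium"))
            continue
        person = hr.get(emp_id)
        if person is None:
            findings.append(Finding(sam, emp_id, "employee_id unknown to HR", "high"))
            continue
        separated = _parse_date(person["separation_date"])
        if person["status"] != "separated" or separated is None:
            continue  # current employee
        last_logon = _parse_date(acct["last_logon"])
        if last_logon is not None and last_logon > separated:
            findings.append(Finding(sam, emp_id, "logon after separation date", "high"))
        elif as_of - separated > timedelta(days=grace_days):
            findings.append(Finding(sam, emp_id, "still enabled after separation", "medium"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY_EXPORT, SAMPLE_AS_OF):
        print(f"{f.severity:6} {f.sam_account:10} {f.issue}")
```

An account whose last logon falls after its owner's separation date is rated higher than one that is merely still enabled, because it shows the credential was actually used after exit. Running the same comparison on a fixed cadence turns the exit procedure into a repeatable control with a measurable lag, instead of a one-time clean-up of the directory.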
In addition, requests for removal of user accounts do not always occur in a timely manner. Furthermore, we determined that seven terminated employees still had user accounts which would allow them access to the NCUA network.

By not having updated, documented employee enter/exit/change procedures, NCUA employees who have a role in the termination process may not fully understand their roles and responsibilities. In addition, by not removing terminated employees' access to systems and/or applications, NCUA increases the risk that unauthorized persons could access NCUA systems and sensitive data.

The NCUA Computer Infrastructure System Security Plan provides guidance related to these conditions:

       The NCUA Computing Infrastructure System Security Plan requires that the procedures found in its appendix for adding, changing and deleting an NCUA employee from the network be used.

       This procedure directs that when an employee enters, exits or needs changes to their employee information, the responsible office will e-mail the information (where applicable) to the appropriate distribution lists.

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, also provides guidance related to these conditions:

       Section 10.2.1, User Account Management, states that when user accounts are no longer required, the supervisor should inform the application manager and system management office so accounts can be removed in a timely manner.

Recommendation: We recommend that NCUA update its Windows Active Directory list to remove all employees that are no longer with the agency. In addition, NCUA should update its employee enter/exit/change procedures in an effort to provide management with a means of enforcing responsibility and accountability for all employees involved in the termination process.

Agency Response: Agreed. We have since updated the Windows Active Directory and have a mechanism in place to keep it current. NCUA will look for ways to improve the employee enter/exit/change procedures.

OIG Response: The OIG concurs with the actions taken.

4. E-Authentication risk assessments for its systems need to be completed.

While NCUA has completed formal risk assessments for its six (6) systems, NCUA did not specifically address E-Authentication risk considerations. This is a repeat finding from the FY 06 FISMA evaluation. NCUA has asserted that the requirement to complete an E-Authentication risk assessment does not apply to the agency and therefore NCUA has not completed the assessment.

By not completing an E-Authentication risk assessment, the NCUA is not compliant with OMB policy and may not fully capture risks associated with its e-Government activities.

OMB Memorandum M-04-04 provides guidance related to this condition:

       Section 1.1 states that this guidance requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance. Additionally, section 1.2 states that it applies to the remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government).

Recommendation: We recommend that NCUA management complete the E-Authentication risk assessment process in accordance with OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies.

Agency Response: Agreed.

OIG Response: The OIG concurs.

5. A formal agency-wide security configuration guide should be developed.

Although the NCUA requires workstations (Windows 2000) and servers (Windows 2003) to have baseline configurations that follow NIST configuration guidance, the NCUA has not developed a formal agency-wide security configuration guide. This is a repeat finding from the FY 06 FISMA evaluation.

By not establishing and implementing a formal security configuration guide, the NCUA increases the risk of not consistently applying security standards across agency information technology resources. This could expose NCUA systems and sensitive data to threats in the ever-changing and risk-inherent IT environment.

OMB Memorandum 06-20 provides guidance related to this condition:

       Section C, Item 6 inquires if there is an agency-wide security configuration policy and whether configuration guides are implemented for agency systems running certain software.

Recommendation: We recommend that NCUA management establish and implement an agency-wide security configuration guide.

Agency Response: Agreed. The security plan has been updated to require NIST configuration standards for all servers. We will run the baseline analyzer to ensure these standards are met.

OIG Response: The OIG concurs.

6. Incident response procedures should be followed.

NCUA has an established incident response capability that is documented in an Incident Response Guide. However, evidence could not be provided for the one incident identified by management during FY 06 to support whether NCUA followed the incident response steps outlined in its guide. These steps include processes for identifying and reporting incidents internally, for external reporting to law enforcement authorities, and for reporting to the United States Computer Emergency Readiness Team (US-CERT). [1]

By not documenting how NCUA addresses incidents, NCUA is not compliant with OMB policy. In addition, management is not able to determine whether NCUA followed its incident response procedures outlined in the Incident Response Guide and whether employees understand the incident response procedures. This issue may also prevent NCUA from responding in a systematic manner to incidents and carrying out all necessary steps to correctly handle an incident in the future. Adequately documenting incidents could prevent or minimize disruption of critical computing services and minimize loss or theft of sensitive or mission-critical information.

NCUA's Incident Response Guide provides guidance related to this condition:

       Section 4.6, "Follow up," requires NCUA to document its response to an incident and use "lessons learned" to update computer security measures.

OMB Memorandum 06-20 also provides guidance related to this condition:

       Section C, Item 7 inquires if the agency follows documented policies and procedures for identifying and reporting incidents internally, for external reporting to law enforcement authorities, and for reporting to the United States Computer Emergency Readiness Team (US-CERT).

Recommendation: We recommend that NCUA management comply with the requirements of OMB Memorandum 06-20, Section C, Item 7, and specifically, with its incident response procedures contained within the Incident Response Guide.

Agency Response: Agreed. We will document all further incidents in compliance with our incident response guide and OMB guidance.

OIG Response: The OIG concurs.

[1] The Information Security Officer stated that no incidents occurred during FY 07. One incident occurred during FY 06 and it was being investigated at the time Grant Thornton performed the FY 06 FISMA review. Since we were unable to inspect the incident in FY 06, we requested information/documentation on the FY 06 incident as part of this year's audit.

7. Personnel security awareness training program needs to be completed in FY 2007.

The NCUA has established an information security awareness program. However, as of the time of our assessment, NCUA employees had not received annual security awareness training for FY 07. This is a repeat finding from the FY 06 FISMA evaluation. NCUA employees have not received annual security awareness training for FY 07 because NCUA is revising the NCUA Rules of Behavior document to include a section on privacy issues. NCUA will continue its training efforts once this process is completed.

By not having all employees complete security awareness training, NCUA is not compliant with OMB policy. In addition, untrained employees may expose NCUA to threats which put the confidentiality, integrity, and availability of NCUA systems and sensitive data at risk.

NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidance related to these conditions:

       Agencies must establish an effective security awareness and training program to ensure that users are appropriately trained in the rules of behavior for the systems and applications to which they have access. In addition, the guidance tasks the Chief Information Officer with ensuring that effective tracking and reporting mechanisms are in place.

OMB Memorandum 06-20 also provides guidance related to this condition:

       Section C, Item 9 inquires if the agency has ensured that security training and awareness has been provided to all employees, including contractors and those employees with significant IT security responsibilities.

Recommendation: We recommend that NCUA management comply with the requirements of OMB Memorandum 06-20, Section C, Item 9, by ensuring that all employees and contractors receive annual security awareness training by signing the NCUA Rules of Behavior document.

Agency Response: Agreed.

OIG Response: The OIG concurs.

8. NCUA's Plan of Actions and Milestones (POA&M) process needs improvement.

NCUA program officials are not actively involved in tracking and updating the Plan of Actions and Milestones (POA&M) for their respective systems. In addition, none of the 12 IT-related findings identified in the 2006 financial statement audit report issued by Deloitte & Touche LLP were included in the POA&M. Further, there were three FY 06 FISMA report findings that were considered complete in the POA&M but were not addressed or fully completed by NCUA:

   • E-Authentication risk assessments not completed
   • Security configuration guides not used for all NCUA systems
   • Security planning documentation inconsistent in version control, revisions/updates

We reviewed documentation and interviewed the NCUA Information Security Officer (ISO). We found the POA&M process is largely driven by updates from the ISO, instead of the ISO receiving periodic updates from program officials responsible for remediation requirements. Program officials are not actively identifying vulnerabilities or weaknesses and incorporating them into existing POA&Ms.

As a result, the NCUA ISO faces the additional burden of tracking agency efforts to reduce risk and vulnerabilities by having to actively pursue status updates from program officials for their respective action items. Weaknesses that program officials identify in the POA&M, but do not properly address and resolve, reduce NCUA's level of compliance with OMB requirements.

OMB and FISMA require agency officials to be involved in agency efforts to review and periodically update remediation efforts to correct outstanding weaknesses. In most cases, agencies use a POA&M process to track these efforts, which is intended to be a tool for the program official to note changes and updates, usually on a quarterly basis.

Recommendation: We recommend that NCUA management implement and enforce policy that requires program officials to provide POA&M status reports to the OICO. In addition, the ISO should ensure all identified weaknesses are incorporated into the POA&M.

Agency Response: Agreed.

OIG Response: The OIG concurs.

9. Security controls testing for all of NCUA's FISMA systems needs to be completed.

The NCUA completed security controls testing in FY 07 for its General Support System (GSS). However, NCUA has not completed its FY 07 security controls testing for the remaining five FISMA systems (AMAC, NAS, ESS, CRS, and IIS). The NCUA anticipates security testing and evaluation efforts for all of NCUA's systems to begin in late June and finish in August.

Until NCUA completes security controls testing for its systems, it may not know whether the security controls in place are operating effectively. This may prevent NCUA from appropriately mitigating risks to an acceptable level.

As required in FISMA, the CIO shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. OMB requires agencies to have tested security controls within the past year.

Recommendation: We recommend that NCUA management complete security controls testing for its FISMA systems using guidance specified by NIST SP 800-53, Recommended Security Controls for Federal Information Systems. NCUA should tailor its security controls testing based on the FIPS 199 rankings assigned to each FISMA system.

Agency Response: Agreed – most are now complete.

OIG Response: The OIG concurs.

10. Segregation of duties should be maintained or compensating controls established.

We determined that NCUA does not maintain effective segregation of duties for personnel. Segregation of duties issues exist in the following:

   • MSSQL database maintenance and development,
   • web application development, and
   • SAP maintenance and development.

We identified 56 segregation of duties violations when we scanned and analyzed the SAP application.
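A scan of the kind referred to above works by expanding each user's roles into the functions they grant and then checking every pair of functions against a list of combinations one person should not hold; an exception register lets a conflict that management has accepted with a compensating control stay visible instead of disappearing from the report. The following is an added illustration of that check, not code from this report, NCUA or any SAP authorization tool; the function names, roles, user assignments and the compensating-control register are constructed, and the rules go beyond SAP to the database and web application areas listed above.

```python
"""Detect segregation-of-duties (SoD) conflicts from user role assignments.

Added illustration for the finding above; not code from the OIG report,
NCUA or any SAP authorization tool. All function names, roles, users and
conflict rules are constructed; a real run would load them from the
application's authorization export.
"""
from itertools import combinations

# Constructed conflict rules: function pairs one person should not hold
# together, keyed as frozensets so the order within a pair does not matter.
CONFLICT_RULES = {
    frozenset({"code.develop", "code.promote_to_prod"}):
        "developer can move own change into production",
    frozenset({"db.develop", "db.maintain_prod"}):
        "developer can alter production database objects and data",
    frozenset({"sap.customize", "sap.transport_release"}):
        "developer controls release of own SAP transports",
}

# Constructed role -> functions mapping (what each role lets a user do).
ROLE_FUNCTIONS = {
    "WebDeveloper":   {"code.develop"},
    "ReleaseManager": {"code.promote_to_prod"},
    "DbDeveloper":    {"db.develop"},
    "DbaProd":        {"db.maintain_prod"},
    "SapBasis":       {"sap.customize", "sap.transport_release"},
    "SapReporting":   {"sap.report_view"},
}

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": {"WebDeveloper", "ReleaseManager"},   # two roles that conflict
    "bob":   {"DbDeveloper", "DbaProd"},           # conflict with a documented exception
    "carol": {"SapBasis"},                         # one role that bundles a conflict
    "dave":  {"SapReporting"},                     # clean
}

# Constructed register of documented exceptions: (user, conflicting pair) ->
# the compensating control management relies on instead of separation.
COMPENSATING_CONTROLS = {
    ("bob", frozenset({"db.develop", "db.maintain_prod"})):
        "production changes require a second DBA's review and are logged",
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of every function granted through any of the user's roles."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                       rules=CONFLICT_RULES, exceptions=COMPENSATING_CONTROLS):
    """Return one (user, pair, reason, status) tuple per conflicting pair a
    user holds. status is 'violation' unless the pair is covered by a
    documented compensating control, in which case it is 'accepted' so the
    residual risk still shows up in the report instead of vanishing."""
    results = []
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles, role_functions)
        for pair in combinations(sorted(funcs), 2):
            key = frozenset(pair)
            if key in rules:
                status = "accepted" if (user, key) in exceptions else "violation"
                results.append((user, key, rules[key], status))
    return results


def violations_only():
    """Only the conflicts with no documented compensating control."""
    return [r for r in find_sod_conflicts() if r[3] == "violation"]


if __name__ == "__main__":
    for user, pair, reason, status in find_sod_conflicts():
        print(f"{status:9} {user:6} {' + '.join(sorted(pair))}: {reason}")
```

Carol's conflict comes from a single role that bundles both functions, which is why the check runs over effective functions rather than role names; Bob's pair is reported as accepted rather than dropped, so the compensating control it depends on is still in scope when annual control testing is planned.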
Additionally, two individuals interviewed revealed that they not only develop code,
but also promote code to the production environment, thereby violating best practices and
segregation of duties for application change management. We also found NCUA management
has not identified incompatible duties and appropriately divided those duties among personnel.

Management has indicated that although the NCUA recognizes the value of formal segregation
of duties, resource constraints prohibit a comprehensive implementation throughout the
organization. However, management has neither articulated the specific residual risk associated
with segregation of duties constraints, nor defined compensating controls as required.

Because NCUA has not implemented comprehensive segregation of duties over its operational
systems and among its support personnel, the potential for fraud and error increases throughout
various systems and processes. The impact of this condition has the potential to reach the
external web presence of the organization, any database-reliant applications, and SAP data and
procedures.

NIST Special Publication 800-53 provides guidance related to this condition:

          Control AC-5 states that information systems should enforce separation of duties
          through assigned access authorizations. The organization should establish appropriate
          divisions of responsibility and separate duties as needed to eliminate conflicts of interest
          in the responsibilities and duties of individuals.

OMB A-130, Appendix III also provides guidance related to this condition:

          It has long been recognized that the greatest harm has come from authorized individuals
          engaged in improper activities, whether intentional or accidental. In every general
          support system, a number of technical, operational, and management controls are used
          to prevent and detect harm.
          Such controls include individual accountability, ‘least privilege,’ and separation of
          duties.

          Separation of duties is the practice of dividing the steps in a critical function among
          different individuals. For example, one system programmer can create a critical piece of
          operating system code, while another authorizes its implementation. Such a control
          keeps a single individual from subverting a critical process.

Recommendation: We recommend that NCUA management: (1) examine existing roles and
responsibilities to identify incompatible duties - such an effort will also require the refinement of
currently ambiguous job descriptions, (2) define residual risk associated with segregation of
duties conditions created by organizational constraints, and (3) establish compensating controls
and ensure those controls are included in annual testing.

Agency Response: We agree in principle. Due to the size of our office, we will need to review
each of these items and determine if there is anything we can improve.

OIG Response: The OIG concurs.


11.    NCUA vulnerability management needs improvement.

We determined that a vulnerable version of the Remote Desktop Protocol Server (Terminal
Service) is running on the SAP server. This vulnerability could allow an attacker to intercept and
decrypt communications between a client and server and obtain sensitive information such as
passwords. Additionally, we discovered several ports/communication services available on the
SAP and AIRES servers that may be unnecessary.
NCUA does not periodically evaluate the number of open ports and services on its servers in
accordance with an established process for managing vulnerabilities and secure configurations.

By not restricting the number of ports and communication services, NCUA increases the risk of
an unauthorized person gaining access to the systems. Management should correlate each open
port and service to a documented business need and to the services required to meet that need.

NIST SP 800-53 provides guidance related to this condition:

       Appendix F, CA-2 states the organization conducts an assessment of the security
       controls in the information system to determine the extent to which the controls are
       implemented correctly, operating as intended, and producing the desired outcome with
       respect to meeting the security requirements for the system.

Recommendation: We recommend that NCUA management review the need for the Remote
Desktop Protocol Server on the SAP server. If valid, we recommend that NCUA implement
steps to address the weakness, such as requiring the use of Secure Socket Layer (SSL) for this
service.

We also recommend that NCUA management implement a procedure to periodically review the
number of open ports and services on NCUA servers to assess whether there is a business
need for them to be active.

Agency Response: Agreed.

OIG Response: The OIG concurs.
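The periodic review recommended in finding 11 can be reduced to a repeatable comparison: the ports and services actually listening on each server against a baseline that records the documented business need for each one. The script below is an added illustration of that procedure and is not part of the OIG report or of any NCUA procedure. It assumes an inventory of listening sockets in a simple one-line-per-socket form (the kind of information an administrator would collect with netstat or an equivalent tool) and a baseline dictionary keyed by server and port; every server name, port, process name and justification in it is constructed for the example.

```python
"""Periodic open-port review against a documented business-need baseline.

Added example, not the OIG's or NCUA's own procedure. Inventory lines and
baseline entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed inventory: "<server> <proto> <local address>:<port> <process>",
# one line per listening socket as an administrator might export it.
INVENTORY = """\
sap01   tcp 0.0.0.0:3200 disp+work
sap01   tcp 0.0.0.0:3389 svchost
sap01   tcp 0.0.0.0:21   ftpsvc
sap01   tcp 0.0.0.0:445  System
aires01 tcp 0.0.0.0:443  w3wp
aires01 tcp 0.0.0.0:1433 sqlservr
aires01 tcp 0.0.0.0:5900 vnc
"""

# Constructed baseline: (server, port) -> documented business need.
# Port 8000 on sap01 is deliberately stale (documented but no longer listening).
BASELINE: Dict[Tuple[str, int], str] = {
    ("sap01", 3200): "SAP dispatcher, required by SAP GUI clients",
    ("sap01", 445): "SMB, required for domain policy distribution",
    ("sap01", 8000): "SAP HTTP interface (decommissioned)",
    ("aires01", 443): "AIRES web front end over TLS",
    ("aires01", 1433): "SQL Server, AIRES application database",
}

# Services that warrant a hardening decision even when a business need exists.
# The RDP entry mirrors the report's recommendation to require SSL for that service.
REMOTE_ACCESS_REVIEW: Dict[int, str] = {
    21: "FTP: credentials cross the network in cleartext; replace or remove",
    23: "Telnet: session content is cleartext; replace or remove",
    3389: "RDP: if retained, require SSL/TLS and restrict source addresses",
    5900: "VNC: weak transport protection; tunnel, replace or remove",
}


@dataclass(frozen=True)
class Listener:
    server: str
    proto: str
    port: int
    process: str


def parse_inventory(text: str) -> List[Listener]:
    """Parse the constructed inventory format; malformed lines are skipped."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        server, proto, addr, process = parts
        port = int(addr.rsplit(":", 1)[1])  # tolerate IPv6 "[::]:443" too
        listeners.append(Listener(server, proto, port, process))
    return listeners


def review(listeners: List[Listener],
           baseline: Dict[Tuple[str, int], str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return findings as (server, port, message) tuples in three categories:
    undocumented    - listening, but no business need recorded in the baseline
    needs_hardening - remote-access/cleartext services that need a decision
    stale_baseline  - baseline entries for ports that are no longer listening
    """
    observed: Set[Tuple[str, int]] = {(l.server, l.port) for l in listeners}
    findings: Dict[str, List[Tuple[str, int, str]]] = {
        "undocumented": [], "needs_hardening": [], "stale_baseline": []}
    for l in listeners:
        if (l.server, l.port) not in baseline:
            findings["undocumented"].append(
                (l.server, l.port, f"{l.proto} ({l.process}) has no documented business need"))
        if l.port in REMOTE_ACCESS_REVIEW:
            findings["needs_hardening"].append((l.server, l.port, REMOTE_ACCESS_REVIEW[l.port]))
    for (server, port), need in sorted(baseline.items()):
        if (server, port) not in observed:
            findings["stale_baseline"].append(
                (server, port, f"in baseline ({need}) but not listening; retire the entry"))
    return findings


def run_review() -> Dict[str, List[Tuple[str, int, str]]]:
    """Entry point used by the stand-alone run: parse, compare, report."""
    findings = review(parse_inventory(INVENTORY), BASELINE)
    for category, items in findings.items():
        print(f"== {category} ({len(items)}) ==")
        for server, port, msg in items:
            print(f"  {server}:{port}  {msg}")
    return findings


if __name__ == "__main__":
    run_review()
```

Run on a schedule, the only inputs that change are the inventory export and the baseline; an empty "undocumented" list is the evidence that every open port still maps to a business need, and a non-empty "stale_baseline" list shows where the documentation, rather than the server, has drifted.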